13

In my ASP.Net application I'm using URL routing.
The url format is somewhat like: http://site/{culture}/project/{id}.

To allow users to visit the login and recovery page, I've added the following entries to my web.config:

<location path="en-GB/login">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

<location path="nl-NL/login">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

<location path="login">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

Is there a form of notation so that I can skip the en-GB part and replace it with a wildcard?
I want the login and recovery page etc. to be available regardless of the culture.

Yvo
  • 18,681
  • 11
  • 71
  • 90

2 Answers2

3

I don't believe you can place relative paths in the root web.config, but that isn't a concern. You can use the support of nested Web.Config files to your advantage.

You can place a web.config file similar to this in any of your sub directories (adjusting to suit the needs of that specific directory) and you'll get the support you seek. It is also a lot easier to maintain as the settings are closer to the code files they control.

<?xml version="1.0"?>
<configuration>
    <system.web>
      <authorization>
        <deny users="*"/>
      </authorization>
    </system.web>
</configuration>

The overall configuration for authentication types, roles, etc. would be done in the web.config in your applications root directory. As a result, you can't set a separate login page per directory from this method, but you could have a login page that automatically handled a redirect when needed (by analyzing the ReturnURL QueryString value).

Frazell Thomas
  • 6,031
  • 1
  • 20
  • 21
  • 2
    Unfortunately these aren't real directories. I'm using url routing. There is no en-GB or nl-NL folder etc etc – Yvo Dec 11 '10 at 22:18
  • So internally you are using the same files for all locales, but attaching querystring values to determine the locale? – Frazell Thomas Dec 13 '10 at 02:08
  • I'm using the same file for all locales. There is no querystring, it's done by url routing. – Yvo Dec 13 '10 at 11:12
  • Wouldn't it be easier then to perform the security check at the page/method level? – Frazell Thomas Dec 13 '10 at 14:17
  • 2
    Why is this the accepted answer if it doesn't address the fact that the locale is coming from the URL and that there are no physical 'sub-directories' per locale in which to place the recommended web.config??? – JTech Mar 19 '14 at 14:12
  • @JTech I accepted this answer because of the "I don't believe you can..." part. But you are right it doesn't fully answer the question, so I've unmarked it. – Yvo Jul 26 '15 at 17:01
1

Looking at this post, you might be able to change the extension of your login page and do something like the following:

<system.webServer>
  <security>
    <requestFiltering>
      <fileExtensions>
        <add fileExtension=".login" allowed="true" />
      </fileExtensions>
    </requestFiltering>
  </security>
</system.webServer>

I have not tried this, but it is perhaps something to attempt.

Community
  • 1
  • 1
Mark Avenius
  • 13,679
  • 6
  • 42
  • 50